Create secret_artifact_test.yml

Author: izefoea

.github/workflows/secret_artifact_test.yml

@@ -0,0 +1,126 @@
+name: Secret and Artifact Leakage Test
+
+on:
+  workflow_dispatch:  # 手动触发
+
+jobs:
+  test:
+    runs-on: self-hosted
+    steps:
+      # 1. 检出代码仓库
+      - name: Checkout Repository
+        uses: actions/checkout@v2
+
+      # 2. 缓存 Node.js 依赖（如果有 package-lock.json）
+      - name: Cache Node modules
+        uses: actions/cache@v2
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+
+      # 3. 设置 Node.js 环境
+      - name: Setup Node.js
+        uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+
+      # 4. 安装 npm 依赖（如果 package.json 存在）
+      - name: Install npm dependencies
+        run: |
+          if [ -f package.json ]; then
+            npm install
+          else
+            echo "No package.json found. Skipping npm install."
+          fi
+
+      # 5. 安全使用 Secret：通过环境变量引用
+      - name: Safe Secret Usage (Env Variable)
+        env:
+          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+        run: |
+          echo "Safe usage: DB_PASSWORD is $DB_PASSWORD"
+          # GitHub 会自动将 DB_PASSWORD 的值屏蔽为 ***
+          
+      # 6. 不安全使用 Secret：直接作为参数传递
+      - name: Unsafe Secret Usage (Inline)
+        run: echo "Unsafe usage-- DB_PASSWORD is ${{ secrets.DB_PASSWORD }}"
+        # 此方式风险较高，部分 CLI 工具可能将完整值输出到日志中
+
+      # 7. 将 Secret 写入文件（模拟 Artifact 中泄露敏感信息）
+      - name: Write Secret to File
+        run: echo "Secret in file-- ${{ secrets.DB_PASSWORD }}" > secret.txt
+
+      # 8. 上传包含 Secret 的文件作为 Artifact
+      - name: Upload Secret File Artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: secret-artifact
+          path: secret.txt
+
+      # 9. 缓存 pip 依赖（如果有 requirements.txt）
+      - name: Cache pip packages
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
+
+      # 10. 设置 Python 环境
+      - name: Setup Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+
+      # 11. 安装 pip 依赖（如果 requirements.txt 存在）
+      - name: Install pip dependencies
+        run: |
+          if [ -f requirements.txt ]; then
+            pip install -r requirements.txt
+          else
+            echo "No requirements.txt found. Skipping pip install."
+          fi
+
+      # 12. Docker 构建：构建当前目录下的 Docker 镜像
+      - name: Build Docker Image
+        run: |
+          if [ -f Dockerfile ]; then
+            docker build -t secret-tester:latest .
+          else
+            echo "No Dockerfile found. Skipping Docker build."
+          fi
+
+      # 13. 将构建的 Docker 镜像保存为 tar 包
+      - name: Save Docker Image to Tarball
+        run: |
+          if docker image inspect secret-tester:latest > /dev/null 2>&1; then
+            docker save secret-tester:latest -o secret-tester.tar
+          else
+            echo "Docker image not built. Skipping save."
+          fi
+
+      # 14. 上传 Docker 镜像 tar 包作为 Artifact（可选）
+      - name: Upload Docker Image Artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: docker-image-artifact
+          path: secret-tester.tar
+
+      # 15. 推送 Docker 镜像到 GitHub Container Registry (GHCR)
+      - name: Push Docker Image to GHCR
+        env:
+          # 需在仓库 Secrets 中设置 CR_PAT (GitHub Personal Access Token)
+          CR_PAT: ${{ secrets.CR_PAT }}
+        run: |
+          # 登录到 GHCR，使用 GitHub 用户名和 PAT
+          echo $CR_PAT | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+          # 输出当前镜像列表（调试用）
+          docker images
+
+          # 标记镜像为 GHCR 格式（格式：ghcr.io/用户名/镜像名:标签）
+          docker tag secret-tester:latest ghcr.io/${{ github.repository_owner }}/secret-tester:latest
+
+          # 再次输出镜像信息以确认标签更改
+          docker images
+
+          # 推送镜像
+          docker push ghcr.io/${{ github.repository_owner }}/secret-tester:latest